Social engineering to lead cybersecurity attacks

You might think you know your friends on Facebook and Twitter, but these services could end up being the next place you’re conned, according to a new report.

The security experts at US cybersecurity company Proofpoint have this week suggested that attackers won’t just be relying on malware and the odd virus to break into people’s otherwise secure bank accounts, but will also employ social engineering to get what they want.

Specifically, attackers will be looking at ways to trick you into handing over information, a tactic that apparently gained momentum in 2015.

“People’s natural curiosity and gullibility is now targeted at an unprecedented scale,” said Kevin Epstein, Vice President of Threat Operations for Proofpoint.

“Attackers largely did not rely on sophisticated, expensive technical exploits. They ran simple, high-volume campaigns that hinged on social engineering. People were used as unwitting pawns to infect themselves with malware, hand over key credentials, and fraudulently wire money on the attackers’ behalf.”

That means cybercriminals are essentially using your curiosity against you, with campaigns designed to trick you into infecting yourself or handing over information by way of phishing, much like the fake banking, tax refund, and eBay scams we’ve seen for the past few years.

Social engineering is similar to these, but also different: social media is used to get you to click on a story you might be interested in, and the scam then spreads around the web through your friends and followers.

The social engineering goes beyond just using social media as a scam medium, though, with timing playing into when these scams were pushed out into the world.

Proofpoint’s research found that Tuesday mornings from 9 until 10 were the most popular for phishing attempts, while social engineering over social media was higher in the afternoon.

That at least gives you some times to watch out for, but it’s not the only piece of information you need to stay vigilant, especially now that social media phishing scams have been recognised as 10 times more common than social media malware, according to Proofpoint, with forty percent of Facebook accounts faking affiliation with a brand.

According to Proofpoint’s Epstein, however, education is still key, with training necessary to keep people safe.

“The solution is to understand that [people are just being people],” he said to GadgetGuy, “to acknowledge that people will click, and use training and technology to minimise and contain those incidents and effects.”

This might be training you receive at work, in organisations with a social media policy, or simply training yourself: learning to recognise scams and phishing links and not to click, and teaching yourself that it’s not worth the effort or the drama to see what is at the bottom of a clickbait scam.

The next time you see a story on the side of Facebook or a link that seems too good to be true — say a free voucher to an electronics store, for instance — you might want to consider not clicking, and only reading stories that seem true blue.